A Smart City Infrastructure Ontology for Threats, Cybercrime, and Digital Forensic Investigation
Yee Ching Tok, Davis Yang Zheng, Sudipta Chattopadhyay
TL;DR
The paper addresses the need for scalable, interoperable representations of Smart City Infrastructure-related threats, cybercrime, and digital forensic evidence. It introduces Scope, a modular extension of the Unified Cyber Ontology (UCO) and CASE, built in OWL2 to incorporate SCI threat models, evidence types, and MITRE ATT&CK/CAPEC mappings aligned with ISO standards. Through three scenario-based evaluations modeled on real-world APT activity, Scope is shown to provide richer SCI-specific context and improved interoperability relative to UCO/CASE alone, enabling faster triage, attribution, and containment in cyber-physical environments. The work contributes a public Scope ontology and demonstrates its potential to support collaborative DFIs and LEAs in smart city deployments, with plans for future extensions and industry studies.
Abstract
Cybercrime and the market for cyber-related compromises are becoming attractive revenue sources for state-sponsored actors, cybercriminals and technical individuals affected by financial hardships. Due to burgeoning cybercrime on new technological frontiers, efforts have been made to assist digital forensic investigators (DFI) and law enforcement agencies (LEA) in their investigative efforts. Forensic tool innovations and ontology developments, such as the Unified Cyber Ontology (UCO) and Cyber-investigation Analysis Standard Expression (CASE), have been proposed to assist DFI and LEA. Although these tools and ontologies are useful, they lack extensive information sharing and tool interoperability features, and the ontologies lack the latest Smart City Infrastructure (SCI) context that was proposed. To mitigate the weaknesses in both solutions and to ensure a safer cyber-physical environment for all, we propose the Smart City Ontological Paradigm Expression (SCOPE), an expansion profile of the UCO and CASE ontology that implements SCI threat models, SCI digital forensic evidence, attack techniques, patterns and classifications from MITRE. We showcase how SCOPE could present complex data such as SCI-specific threats, cybercrime, investigation data and incident handling workflows via an incident scenario modelled after publicly reported real-world incidents attributed to Advanced Persistent Threat (APT) groups. We also make SCOPE available to the community so that threats, digital evidence and cybercrime in emerging trends such as SCI can be identified, represented, and shared collaboratively.